The rapid development of Internet technology not only brings great convenience to people, but also promotes the spread of malware. Attackers have written a large amount of malicious software to steal the private information and even the property of network users, posing a huge threat to network security. At present, many malware producers use various code obfuscation techniques to generate large numbers of malware variants, which causes some traditional malware detection methods to gradually fail and brings huge challenges to the detection and classification of malware. How to effectively detect and classify malware families has become an urgent problem in maintaining cyberspace security today. Since most malware families need to carry out their malicious behaviors through the network, different malware families also differ in their network traffic. Therefore, based on research into the network behavior of malware families, this paper proposes malware family traffic classification methods based on the HTTP protocol and the TLS protocol respectively. The research contents are as follows:

(1) Aiming at the problem that static malware detection methods are not effective at identifying malware variants, the paper studies the network behavior of malware families and proposes an HTTP-based malware traffic classification method for malware families that use HTTP as their communication method. The method studies malware HTTP traffic and identifies it through TCP session features, HTTP request header features, request header extension features and a decision tree classification algorithm. The experimental results show that the method achieves 98.57% accuracy in classifying the HTTP traffic of malware families.

(2) Aiming at the problem that feature extraction from the encrypted TLS traffic of malware families is one-sided and cannot fully reflect the traffic information, the paper studies the network behavior of malware families and proposes a TLS-based malware traffic classification method for malware families that use TLS as their communication method. The method extracts features of malware TLS traffic from two dimensions, TLS handshake features and statistical features; the paper also proposes a sequential feature extraction method based on TLS records, and then combines these with a random forest classification algorithm to achieve accurate identification of malware TLS traffic. The experimental results show that the method has an accuracy of 98.75% in classifying malware family TLS traffic.

(3) Based on the above methods, the paper designs and implements a malware family traffic classification system. The system is implemented on the Flask framework and mainly includes malware static analysis, malware traffic collection, malware traffic data display, and malware traffic analysis and classification modules, and provides a web visualization interface. The test results show that the system has good usability.
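As an added illustration of the TLS-record sequence features described in (2), and not code from the thesis or its system, the following Python splits one direction of a reassembled TLS stream into record-layer records and derives a fixed-width length sequence plus per-type counts of the kind a random forest could consume. The byte stream, the helper `_record`, and the feature names are constructed for this example; the handshake body is a placeholder rather than a real ClientHello.

```python
import struct
from collections import Counter

# TLS record-layer content types (RFC 5246 / RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def parse_tls_records(stream: bytes):
    """Split one direction of a reassembled TCP stream into TLS records.

    Returns (content_type, version, length) tuples. Parsing stops at the first bytes
    that are not a TLS record header or at a truncated trailing record, so a partial
    capture yields only the records that were fully seen.
    """
    records, offset = [], 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        if ctype not in CONTENT_TYPES or offset + 5 + length > len(stream):
            break
        records.append((ctype, version, length))
        offset += 5 + length
    return records


def record_sequence_features(stream: bytes, seq_len: int = 6):
    """Fixed-width record-length sequence and per-type statistics for a classifier."""
    records = parse_tls_records(stream)
    lengths = [length for _, _, length in records]
    counts = Counter(ctype for ctype, _, _ in records)
    app_lengths = [length for ctype, _, length in records if ctype == 23]
    return {
        "record_count": len(records),
        "len_seq": (lengths + [0] * seq_len)[:seq_len],  # zero-pad or cut to seq_len
        "handshake_records": counts.get(22, 0),
        "app_data_records": counts.get(23, 0),
        "app_data_mean_len": sum(app_lengths) / len(app_lengths) if app_lengths else 0.0,
        "app_data_max_len": max(app_lengths, default=0),
    }


def _record(ctype: int, body: bytes) -> bytes:
    """Build one TLS 1.2-versioned record (constructed sample data, not a capture)."""
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body


# Constructed client-to-server stream: placeholder handshake record, ChangeCipherSpec,
# then three application-data records of differing sizes.
SAMPLE_STREAM = (_record(22, b"\x01" * 64) + _record(20, b"\x01")
                 + _record(23, b"\x00" * 128) + _record(23, b"\x00" * 512)
                 + _record(23, b"\x00" * 32))
```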